New ransomware rabbit virus.  What is the Bad Rabbit virus and how to protect yourself from it.  Ability to recover files

Update 10/27/2017. Evaluation of the possibility of decryption. Ability to recover files. Verdicts.

What happened?

On Tuesday, October 24, we received notifications of massive attacks using the Bad Rabbit ransomware. Organizations and individual users were affected, mostly in Russia, but there were also reports of victims from Ukraine. Victims see this message:

What is Bad Rabbit?

Bad Rabbit belongs to a previously unknown ransomware family.

How does it spread?

The malware is spread using a drive-by attack: the victim visits a legitimate website and a dropper is downloaded from the attackers' infrastructure. The criminals did not use exploits for the initial infection, so the user had to manually run a file disguised as an Adobe Flash installer to become infected. However, our analysis confirms that Bad Rabbit used the EternalRomance exploit to spread within corporate networks. The same exploit was used by the ExPetr ransomware.

We found a number of compromised resources; all of them are news portals and media sites.

Who is the target of the attack?

Most of the victims are in Russia. Similar but less massive attacks have affected other countries: Ukraine, Turkey and Germany. The total number of targets, according to KSN statistics, reaches 200.

When did Kaspersky Lab discover the threat?

We were able to trace the original attack vector from its very beginning, on the morning of October 24. The active phase continued until noon, although individual attacks were recorded until 19:55 Moscow time. The server from which the Bad Rabbit dropper was distributed was taken down that same evening.

How is Bad Rabbit different from ExPetr ransomware? Or is it the same malware?

According to our observations, this is a targeted attack on corporate networks whose methods are similar to those used during the ExPetr attack. Moreover, analysis of the Bad Rabbit code showed a noticeable similarity with the ExPetr code.

Technical details

According to our information, the ransomware is spread through a drive-by attack. The ransomware dropper is downloaded from hxxp://1dnscontrol[.]com/flash_install.php.

Victims are redirected to this malicious resource from legitimate news sites.

The downloaded install_flash_player.exe file must be manually launched by the victim. The file requires administrator rights to work properly, which it requests via a standard UAC prompt. If launched, the malware saves the malicious DLL as C:\Windows\infpub.dat and launches it via rundll32.

[Figure: Pseudocode of the procedure for installing the malicious DLL]

Apparently, the infpub.dat library brute-forces NTLM credentials against Windows machines with pseudo-random IP addresses.

[Figure: Hardcoded list of credentials]

The infpub.dat library also installs a malicious executable, dispci.exe, in C:\Windows and creates a scheduled task to run it.

[Figure: Pseudocode of the procedure that creates a task to launch the malicious executable file]

Moreover, infpub.dat acts like a typical ransomware: it finds the victim's data using a built-in list of extensions and encrypts the files with a public 2048-bit RSA key belonging to the attackers.

[Figure: Attacker's public key and list of extensions]

Public key parameters:

Public Key: (2048 bit)
Exponent: 65537 (0x10001)

The dispci.exe executable appears to be based on the code of the legitimate DiskCryptor utility. It acts as a disk encryption module and in parallel installs a modified bootloader, blocking the normal boot process of the infected system.

While analyzing samples of this threat, we noted an interesting detail: apparently, the authors of the malware are fans of Game of Thrones. Some strings in the code are the names of characters from this universe.

[Figure: Dragon names from Game of Thrones]

[Figure: Names of characters from Game of Thrones]

Encryption scheme

As we already mentioned, the Bad Rabbit ransomware encrypts the victim's files and hard drive. The following algorithms are used for files:

  1. AES-128-CBC
  2. RSA-2048

This is a typical scheme used by ransomware.

Interestingly, the ransomware lists all running processes and compares a hash of each process name against a built-in list of hashes. The hashing algorithm used is similar to the one used by the ExPetr malware.

[Figure: Comparison of the Bad Rabbit and ExPetr hash procedures]

[Figure: Special branch of program execution]

[Figure: Runtime flag initialization procedure]

Full list of process-name hashes:

Hash         Process name
0x4A241C3E   dwwatcher.exe
0x923CA517   McTray.exe
0x966D0415   dwarkdaemon.exe
0xAA331620   dwservice.exe
0xC8F10976   mfevtps.exe
0xE2517A14   dwengine.exe
0xE5A05A00   mcshield.exe

Partitions on the victim's hard drive are encrypted using the DiskCryptor dcrypt.sys driver (it is written to C:\Windows\cscc.dat). The encryptor sends the necessary IOCTL codes to this driver. Some functions are taken "as is" from the DiskCryptor sources (drv_ioctl.c); others seem to have been added by the malware developers.

Disk partitions are encrypted by the DiskCryptor driver using AES in XTS mode. The password is generated by dispci.exe using the WinAPI CryptGenRandom function and is 32 characters long.

Evaluation of the possibility of decryption

Our data shows that Bad Rabbit, unlike ExPetr, was not created as a wiper (we wrote earlier that the creators of ExPetr are technically unable to decrypt an MFT encrypted with GoldenEye). The malware's algorithm implies that the attackers behind Bad Rabbit have the necessary means to decrypt it.

The data displayed on the screen of the infected machine as "personal installation key#1" is an RSA-2048 encrypted and base64 encoded binary structure that contains the following information from the infected system:

Attackers can use their RSA private key to decrypt this structure and send the password to decrypt the drive to the victim.

Note that the value of the id field that is passed to dispci.exe is just a 32-bit number used to distinguish between infected computers, and not the AES key for disk encryption, as some reports posted on the Internet said.

During the analysis, we extracted the password generated by the malware under a debugger and tried it on the locked system after the reboot: the password was accepted and the boot process continued.

Unfortunately, it is impossible to decrypt the data on the disks without the attackers' RSA-2048 private key: the symmetric keys are generated securely on the malware side, which in practice rules out guessing them.

However, we found a bug in the dispci.exe code: the generated password is not removed from memory, which gives a small chance of extracting it before the dispci.exe process ends. In the screenshot below, you can see that while the dc_pass variable (which will be passed to the driver) will be safely erased after use, this is not the case for the rand_str variable, which contains a copy of the password.

[Figure: Pseudocode of the procedure that generates the password and encrypts the disk partitions]

File encryption

As we have already mentioned, the Trojan uses a typical file encryption scheme. It generates a random string of 32 bytes and uses it in the key derivation algorithm. Unfortunately, this string is generated using the CryptGenRandom function.

[Figure: Key derivation algorithm]

The encrypted password, along with information about the infected system, is written to the Readme file as "personal installation key#2".

An interesting fact: the malware does not encrypt files with the read-only attribute.

Ability to recover files

We found that Bad Rabbit does not delete shadow copies of files after they are encrypted. This means that if the shadow copy service was enabled before the infection and full disk encryption failed for some reason, the victim can recover encrypted files using standard Windows tools or third-party utilities.

[Figure: Shadow copies unaffected by Bad Rabbit]
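The recovery path described above, as an added example that is not part of the original analysis: a PowerShell function that picks the newest Volume Shadow Copy of the file's drive created before the infection and copies the pre-encryption version of the file out of it, using only built-in Windows tooling. The file path, destination folder and cut-off time are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: recover one encrypted file from the
# newest Volume Shadow Copy taken before the infection, using built-in tools only.
# The file path and the cut-off time used below are assumptions for illustration.

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$File,       # encrypted file, e.g. C:\Users\Alice\Documents\report.docx
        [Parameter(Mandatory)][datetime]$Before,   # snapshots created at or after this time are ignored
        [string]$Destination = (Join-Path $env:USERPROFILE "Desktop\recovered")
    )
    $drive    = [System.IO.Path]::GetPathRoot($File).TrimEnd('\')   # "C:"
    $relative = $File.Substring($drive.Length).TrimStart('\')        # "Users\Alice\Documents\report.docx"

    # Win32_ShadowCopy identifies volumes by GUID path, so map the drive letter first.
    $volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID

    # Newest snapshot of that volume that predates the infection.
    $snapshot = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $snapshot) { throw "No shadow copy of $drive created before $Before" }

    # The snapshot is only reachable through a \\?\GLOBALROOT device path; expose it
    # via a directory symlink (mklink needs the trailing backslash) and copy from there.
    $link = Join-Path $env:TEMP ("vss_" + $snapshot.ID.Trim('{', '}'))
    if (-not (Test-Path -LiteralPath $link)) {
        cmd.exe /c mklink /d "$link" "$($snapshot.DeviceObject)\" | Out-Null
    }
    try {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -LiteralPath (Join-Path $link $relative) -Destination $Destination -Force
        Write-Host "Restored $relative from the snapshot of $($snapshot.InstallDate)"
        return (Join-Path $Destination (Split-Path $File -Leaf))
    } finally {
        cmd.exe /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
    }
}

# Hypothetical call: the cut-off is the morning the article dates the attack to.
Restore-FromShadowCopy -File "C:\Users\Alice\Documents\report.docx" -Before (Get-Date "2017-10-24 09:00")
```

This only helps in the case the article names: the shadow copy service was on before infection and the full-disk encryption stage did not complete, so the volume is still readable.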

Kaspersky Lab experts are analyzing the ransomware in detail to find possible flaws in its cryptographic algorithms.

Corporate clients of Kaspersky Lab are recommended to:

  • check that all mechanisms are turned on as recommended; make sure that the KSN and System Monitor components are not disabled (they are active by default);
  • promptly update anti-virus databases.

This should be enough. But as an extra precaution, we advise:

  • disable execution of the C:\Windows\infpub.dat and C:\Windows\cscc.dat files in Kaspersky Endpoint Security.
  • configure and enable the Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security.

Kaspersky Lab products define this threat as:

  • Trojan-Ransom.Win32.Gen.ftl
  • Trojan-Ransom.Win32.BadRabbit
  • DangerousObject.Multi.Generic
  • PDM:Trojan.Win32.Generic
  • Intrusion.Win.CVE-2017-0147.sa.leak

IOC:

http://1dnscontrol[.]com/
- install_flash_player.exe
- C:\Windows\infpub.dat
- C:\Windows\dispci.exe

Back in the late 80s, the AIDS virus ("PC Cyborg") written by Joseph Popp hid directories and encrypted files, demanding about $200 for a "license renewal". At first, ransomware targeted only ordinary people using Windows computers, but now the threat itself has become a serious problem for businesses: more and more programs are becoming cheaper and more accessible. Extortion using malware is the main cyber threat in 2/3 of the EU countries. One of the most widespread ransomware viruses, CryptoLocker, has infected more than a quarter of a million computers in the EU since September 2013.

In 2016, the number of ransomware attacks increased dramatically, more than 100 times compared with the previous year, according to analysts. This is a growing trend, and, as we have seen, completely different companies and organizations are under attack. The threat is also relevant for non-profit organizations. Since for each major attack the malware is upgraded and tested by attackers to "pass" through anti-virus protection, anti-viruses are usually powerless against them.

On October 12, the Security Service of Ukraine warned of the likelihood of new large-scale cyber attacks on government agencies and private companies, similar to the June epidemic of the NotPetya encryption virus. According to the Ukrainian intelligence service, "the attack can be carried out using updates, including publicly available application software." Recall that in the case of the NotPetya attack, which researchers associated with the BlackEnergy group, the first victims were companies using the software of the Ukrainian developer of the M.E.Doc document management system.

Then, in the first 2 hours, energy, telecommunications and financial companies were attacked: Zaporozhyeoblenergo, Dniproenergo, Dnipro Electric Power System, Mondelez International, Oschadbank, Mars, New Post, Nivea, TESA, Kiev Metro, computers of the Cabinet of Ministers and the government of Ukraine, shops "Auchan", Ukrainian operators ("Kyivstar", LifeCell, "UkrTeleCom"), Privatbank, Boryspil airport.

A little earlier, in May 2017, the WannaCry ransomware virus attacked 200,000 computers in 150 countries around the world. The virus swept through the networks of universities in China, Renault factories in France and Nissan in Japan, the telecommunications company Telefonica in Spain and the railway operator Deutsche Bahn in Germany. Due to blocked computers in UK clinics, operations had to be postponed, and the regional departments of the Russian Ministry of Internal Affairs could not issue driver's licenses. The researchers said North Korean hackers from Lazarus were behind the attack.

In 2017, encryption viruses reached a new level: the use of tools from the arsenals of American intelligence agencies and new distribution mechanisms by cybercriminals led to international epidemics, the largest of which were WannaCry and NotPetya. Despite the scale of the infection, the ransomware itself collected relatively insignificant amounts - most likely these were not attempts to make money, but to check the level of protection of networks of critical infrastructure of enterprises, government departments and private companies.

Bad Rabbit is a ransomware encryption virus. It appeared quite recently and is aimed mainly at the computers of users in Russia and Ukraine, as well as partially in Germany and Turkey.

The principle of operation of ransomware viruses is always the same: once on a computer, a malicious program encrypts system files and user data, blocking access to the computer using a password. All that is displayed on the screen is the virus window, the requirements of the attacker and the account number to which he demands to transfer money to unlock. After the mass distribution of cryptocurrencies, it became popular to demand a ransom in bitcoins, since transactions with them are extremely difficult to track from the outside. So does Bad Rabbit. It exploits operating system vulnerabilities, in particular in Adobe Flash Player, and infiltrates under the guise of an update for it.

After infection, Bad Rabbit creates the infpub.dat file in the Windows folder, which in turn creates the rest of the program's files: cscc.dat and dispci.exe, which make their own changes to the MBR of the user's disk and create their own tasks in the Task Scheduler. This malware has its own website for paying the ransom, uses the DiskCryptor encryption service, encrypts with the RSA-2048 and AES methods, and monitors all devices connected to the computer, trying to infect them too.

According to Symantec, the virus received a low threat status, and according to experts, it was created by the same developers as the viruses discovered a couple of months before Bad Rabbit, NotPetya and Petya, since it has similar operation algorithms. The Bad Rabbit ransomware first appeared in October 2017, and its first victims were the Internet newspaper Fontanka, a number of media outlets, and the website of the Interfax news agency. Beeline was also attacked, but the threat was averted in time.

Note: Fortunately, programs for detecting such threats are now more effective than before, and the risk of infection with this virus has decreased.

Removing the Bad Rabbit virus

Bootloader Recovery

As in most cases of this type, to eliminate the threat you can try to restore the Windows bootloader. In the case of Windows 10 and Windows 8, boot from the Windows installation media on a USB drive or DVD and choose the "Fix your computer" option. After that, go to "Troubleshooting" and select "Command Prompt".

Now it remains to enter the commands one by one, each time pressing Enter after entering the next command:

  1. bootrec /FixMbr
  2. bootrec /FixBoot
  3. bootrec /ScanOs
  4. bootrec /RebuildBcd

After the performed operations - exit and reboot. Most often this is enough to solve the problem.
For Windows 7, the steps are the same, only there the “Command Prompt” is located in the “System Recovery Options” on the installation distribution.

Removing a virus through Safe Mode

You must be in Safe Mode with Networking to use this method. It is with network support, not a simple Safe Mode. In Windows 10, this can be done again through the installation distribution. After booting from it, in the window with the "Install" button, you must press the key combination Shift + F10 and enter in the field:

bcdedit /set {default} safeboot network

In Windows 7, you can simply press F8 several times while turning on the computer and select this boot mode from the list in the menu that appears.
After entering Safe Mode, the main goal is to scan the operating system for threats. It is better to do this through time-tested utilities such as Reimage or Malwarebytes Anti-Malware.

Eliminate a threat using the Recovery Center

To use this method, you must again use the "Command line", as in the instructions above, and after running it, enter cd restore and confirm by pressing Enter. After that, you need to enter rstrui.exe. The program window will open, in which you can return to the previous restore point before the infection.

The end of October this year was marked by the emergence of a new virus that actively attacked the computers of corporate and home users. The new virus is a ransomware and is called Bad Rabbit. With the help of this virus, the websites of several Russian mass media were attacked. Later, the virus was also found in the information networks of Ukrainian enterprises, where the information networks of the subway, various ministries, international airports and so on were attacked. A little later, a similar virus attack was observed in Germany and Turkey, although its activity was significantly lower than in Ukraine and Russia.

A malicious virus is a special plug-in that, after it enters a computer, encrypts its files. Once the information has been encrypted, attackers try to get rewards from users for decrypting their data.

Spread of the virus

Experts from the ESET anti-virus development laboratory analyzed the algorithm of the virus propagation path and came to the conclusion that it is a modified virus that spread like the Petya virus not so long ago.

ESET laboratory experts have established that the malicious plugins were distributed from the 1dnscontrol.com resource and the IP address 5.61.37.209. Several more resources are also associated with this domain and IP, including secure-check.host, webcheck01.net, secureinbox.email, webdefense1.net, secure-dns1.net and firewebmail.com.

Specialists investigated that the owners of these sites registered many different resources, for example, those through which, with the help of spam mailings, they try to sell counterfeit medicines. ESET specialists do not exclude that it was with the help of these resources, using spam and phishing, that the main cyber attack was carried out.

How does the Bad Rabbit virus infect a computer?

Specialists of the computer forensics laboratory investigated how the virus got on users' computers. It was found that in most cases the Bad Rabbit ransomware virus was distributed as an update to Adobe Flash. That is, the virus did not use any operating system vulnerabilities, but was installed by the users themselves, who, unaware of this, approved its installation, thinking that they were updating the Adobe Flash plugin. When the virus entered the local network, it would steal logins and passwords from the memory and spread to other computer systems on its own.

How hackers extort money

After the ransomware virus has been installed on the computer, it encrypts the stored information. Next, users receive a message indicating that in order to access their data, they must make a payment on the specified dark web site. To do this, you first need to install the Tor browser. To unlock the computer, the attackers demand a payment of 0.05 bitcoin. Today, at a price of $5600 for 1 Bitcoin, this is approximately $280 for unlocking a computer. To make the payment, the user is given a time period of 48 hours. After this period, if the required amount has not been transferred to the attacker's electronic account, the amount increases.

How to protect yourself from the virus

  1. To protect yourself from infection with the Bad Rabbit virus, you should block access from the information environment to the above domains.
  2. For home users, you need to update the current version of Windows as well as the antivirus program. In this case, the malicious file will be detected as a ransomware virus, which will exclude the possibility of its installation on the computer.
  3. Those users who use the built-in antivirus of the Windows operating system already have protection against these ransomware. It is implemented in the Windows Defender Antivirus application.
  4. The developers of the anti-virus program from the Kaspersky Lab advise all users to periodically back up their data. In addition, experts recommend blocking the execution of c:\windows\infpub.dat, c:\WINDOWS\cscc.dat files, and, if possible, disable the use of the WMI service.
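Item 1 of the list above, carried out on a single Windows host, as an added example that is not part of the original article: the domains the article attributes to ESET are sinkholed in the hosts file and the IP address named there is blocked with an outbound Windows Firewall rule. The rule name is an arbitrary label chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: block the Bad Rabbit distribution
# infrastructure named above. Domains and the IP address come from the article's
# ESET findings; the firewall rule name is an arbitrary label chosen here.

$domains  = @("1dnscontrol.com", "secure-check.host", "webcheck01.net",
              "secureinbox.email", "webdefense1.net", "secure-dns1.net", "firewebmail.com")
$ip       = "5.61.37.209"
$ruleName = "Block Bad Rabbit distribution host"

# 1. Sinkhole the domains: point them at 0.0.0.0 in the hosts file (idempotent).
$hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$existing  = @(Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue)
$newLines  = @(foreach ($d in $domains) {
    $pattern = "^\s*0\.0\.0\.0\s+" + [regex]::Escape($d) + "(\s|$)"
    if (-not ($existing -match $pattern)) { "0.0.0.0 $d" }   # only add what is missing
})
if ($newLines.Count -gt 0) {
    Add-Content -LiteralPath $hostsFile -Value (@("# Bad Rabbit sinkhole") + $newLines)
    Clear-DnsClientCache   # make the new entries take effect immediately
}

# 2. Block the IP address that served the dropper, in every network profile.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -RemoteAddress $ip -Profile Any | Out-Null
}

# 3. Report what is now in place.
Write-Host ("Sinkholed {0} new domain(s); firewall rule '{1}' is present." -f $newLines.Count, $ruleName)
```

The article also notes that these servers were taken down the same evening, so on a corporate network the same list belongs in the proxy or DNS block list rather than on each endpoint.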

Conclusion

Each of the computer users should remember that cybersecurity should come first when working on the network. Therefore, you should always monitor the use of only verified information resources and carefully use e-mail and social networks. It is through these resources that the spread of various viruses is most often carried out. Elementary rules of behavior in the information environment will eliminate the problems that arise during a virus attack.

The third major cyberattack in a year. This time it is a virus with a new name, Bad Rabbit, and old habits: data encryption and extortion of money for unlocking. And the affected area is once again Russia, Ukraine and some other CIS countries.

Bad Rabbit acts according to the usual scheme: it sends a phishing email with an attached virus or a link. In particular, attackers may pose as Microsoft technical support and ask the recipient to urgently open an attached file or follow a link. There is another distribution route: a fake Adobe Flash Player update window. In both cases, Bad Rabbit acts in the same way as the ransomware that made headlines not so long ago: it encrypts the victim's data and demands a ransom of 0.05 bitcoin, which is approximately $280 at the exchange rate on October 25, 2017. The victims of the new epidemic were Interfax, the St. Petersburg edition of Fontanka, the Kiev Metro, the Odessa airport and the Ministry of Culture of Ukraine. There is evidence that the new virus tried to attack several well-known Russian banks, but this attempt failed. Experts link Bad Rabbit to previous major attacks recorded this year. Proof of this is the similar encryption software Diskcoder.D, which is the same Petya encryptor, only slightly modified.

How to protect yourself from Bad Rabbit?

Experts recommend that owners of Windows computers create the "infpub.dat" file and place it in the Windows folder on the "C" drive. As a result, the path should look like this: C:\windows\infpub.dat. This can be done using regular Notepad, but with Administrator rights. To do this, find the Notepad shortcut, right-click it and select "Run as Administrator".

Then you just need to save this file to C:\windows\, that is, to the Windows folder on the C drive. Filename: infpub.dat, with "dat" being the file extension. Don't forget to replace Notepad's default "txt" extension with "dat". After you save the file, open the Windows folder, find the created infpub.dat file, right-click on it and select "Properties", where at the very bottom you need to check "Read Only". Thus, even if you catch the Bad Rabbit virus, it will not be able to encrypt your data.
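The same "vaccination" as a PowerShell script, added here as an example that is not code from the article, extended to both file names the analysis above says the malware drops into C:\Windows (infpub.dat and cscc.dat): each placeholder is created empty, marked Read-only as described, and additionally given an ACL that denies Everyone all access, which is what the earlier recommendation to block execution of these files amounts to on a host without a dedicated endpoint product. It assumes it is run once, from an elevated PowerShell, by the account that will own the files.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: pre-create the two file names the
# malware drops (C:\Windows\infpub.dat and C:\Windows\cscc.dat) as empty, Read-only
# files whose ACL denies Everyone all access, so the dropper can neither write its
# DLL nor load the driver from those paths. Run once, as the file owner.

$targets = @("infpub.dat", "cscc.dat") | ForEach-Object { Join-Path $env:SystemRoot $_ }

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path -Force | Out-Null   # zero-byte placeholder
    }

    # Read-only attribute, as the article recommends (skipped if already set).
    $item = Get-Item -LiteralPath $path -Force
    if (-not ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)) {
        $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    }

    # Replace the inherited ACL with a single explicit Deny for Everyone (SID S-1-1-0).
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)   # cut inheritance and drop inherited entries
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-1-0"
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $everyone, "FullControl", "Deny")
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl

    Write-Host "Vaccinated $path"
}
```

Because the Deny entry also applies to administrators, remove the files again (as their owner, with icacls or by taking ownership) before any legitimate software needs those names.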

Preventive measures

Do not forget that you can protect yourself from any virus simply by following certain rules. It sounds trite, but never open letters, and even more so their attachments, if the address seems suspicious to you. Phishing emails, that is, masquerading as other services, are the most common method of infection. Be careful what you open. If the attached file is called “Important document.docx_______.exe” in the letter, then you definitely should not open this file. In addition, you need to have backup copies of important files. For example, a family archive with photos or working documents can be duplicated on an external drive or cloud storage. Do not forget how important it is to use a licensed version of Windows and install updates regularly. Security patches are released by Microsoft on a regular basis and those who install them do not have problems with such viruses.